Sign-up

ID

VAR-201902-0447


CVE

CVE-2019-1679


TITLE

plural Cisco Server-side request forgery vulnerability in the product

Trust: 0.8

sources: JVNDB: JVNDB-2019-001901

DESCRIPTION

A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Versions prior to XC4.3.4 are affected. Multiple Cisco Products are prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Cisco Bug ID's CSCvn33987 and CSCvn51692. Cisco Expressway Series, etc. The Cisco Expressway Series is an advanced collaboration gateway for unified communications

Trust: 1.98

sources: NVD: CVE-2019-1679 // JVNDB: JVNDB-2019-001901 // BID: 106940 // VULHUB: VHN-148971

AFFECTED PRODUCTS

vendor:ciscomodel:telepresence conductorscope:ltversion:xc4.3.4

Trust: 1.8

vendor:ciscomodel:telepresence video communication serverscope:ltversion:x12.5

Trust: 1.0

vendor:ciscomodel:telepresence video communication server softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:telepresence video communication serverscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:telepresence conductorscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:expressway seriesscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:telepresence video communication serverscope:neversion:x12.5

Trust: 0.3

vendor:ciscomodel:telepresence conductor xc4.3.4scope:neversion: -

Trust: 0.3

sources: BID: 106940 // JVNDB: JVNDB-2019-001901 // NVD: CVE-2019-1679

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1679
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1679
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1679
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201902-306
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148971
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1679
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148971
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1679
baseSeverity: MEDIUM
baseScore: 5.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 1.4
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1679
baseSeverity: MEDIUM
baseScore: 5.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148971 // JVNDB: JVNDB-2019-001901 // CNNVD: CNNVD-201902-306 // NVD: CVE-2019-1679 // NVD: CVE-2019-1679

PROBLEMTYPE DATA

problemtype:CWE-918

Trust: 1.9

sources: VULHUB: VHN-148971 // JVNDB: JVNDB-2019-001901 // NVD: CVE-2019-1679

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-306

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201902-306

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-001901

PATCH
title:cisco-sa-20190206-rest-api-ssrfurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-rest-api-ssrf
Trust: 0.8
title:Cisco TelePresence Conductor , Expressway Series  and TelePresence Video Communication Server Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89114
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-001901 // 
            
            
            
            CNNVD: CNNVD-201902-306

EXTERNAL IDS
db:NVDid:CVE-2019-1679
Trust: 2.8
db:BIDid:106940
Trust: 2.0
db:JVNDBid:JVNDB-2019-001901
Trust: 0.8
db:CNNVDid:CNNVD-201902-306
Trust: 0.7
db:VULHUBid:VHN-148971
Trust: 0.1
sources:
            
            
            VULHUB: VHN-148971 // 
            
            
            
            BID: 106940 // 
            
            
            
            JVNDB: JVNDB-2019-001901 // 
            
            
            
            CNNVD: CNNVD-201902-306 // 
            
            
            
            NVD: CVE-2019-1679

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190206-rest-api-ssrf
Trust: 2.0
url:http://www.securityfocus.com/bid/106940
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-1679
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1679
Trust: 0.8
url:http://www.cisco.com
Trust: 0.3
sources:
            
            
            VULHUB: VHN-148971 // 
            
            
            
            BID: 106940 // 
            
            
            
            JVNDB: JVNDB-2019-001901 // 
            
            
            
            CNNVD: CNNVD-201902-306 // 
            
            
            
            NVD: CVE-2019-1679

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 106940

SOURCES
db:VULHUBid:VHN-148971
db:BIDid:106940
db:JVNDBid:JVNDB-2019-001901
db:CNNVDid:CNNVD-201902-306
db:NVDid:CVE-2019-1679

LAST UPDATE DATE
2024-11-23T22:17:07.766000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-148971date:2019-10-09T00:00:00
db:BIDid:106940date:2019-02-06T00:00:00
db:JVNDBid:JVNDB-2019-001901date:2019-03-28T00:00:00
db:CNNVDid:CNNVD-201902-306date:2019-11-29T00:00:00
db:NVDid:CVE-2019-1679date:2024-11-21T04:37:04.907

SOURCES RELEASE DATE
db:VULHUBid:VHN-148971date:2019-02-07T00:00:00
db:BIDid:106940date:2019-02-06T00:00:00
db:JVNDBid:JVNDB-2019-001901date:2019-03-28T00:00:00
db:CNNVDid:CNNVD-201902-306date:2019-02-06T00:00:00
db:NVDid:CVE-2019-1679date:2019-02-07T21:29:00.217